Domain 10 - Application Security Flashcards

1
Q

What opportunities does cloud present for application security?

A
  • Higher baseline security - CSPs have economic incentives to maintain high security levels, as trust is core to their business model. Multiple security standards and baselines from different verticals enhance overall security
  • Responsiveness - being API-based enables a responsive security program, e.g. changing firewall rules or updating servers
  • Isolation - each cloud application can be deployed in its own virtual network (VPC) limiting attack surface, and enabling granular security controls
  • Independent VMs - use of microservices on smaller VMs - smaller attack surface; granular security controls
  • Elasticity - auto scaling means manual processes won’t work; encourages use of immutable servers; increased operational security; remote admin can be disabled
  • DevOps - automation of application dev & deployment (e.g. CI/CD pipelines, IaC)
  • Unified Interface - one interface for infra and application services, not managed by different teams, which reduces failures.
2
Q

What are the challenges that Cloud presents to application security?

A
  • Limited detailed visibility
  • Increased application scope as dev and ops are integrated; both may need access to the management plane - e.g. applications may need access to the management API, such as for creating or deleting an S3 bucket.
  • Changing threat model - needs to factor in cloud provider responsibilities
  • Reduced transparency (especially in PaaS where some services are provided by CSP - e.g. Message Queues)
3
Q

What are the key phases of any SSDLC?

A

There are many SSDLC models (MSFT, NIST, ISO), but nearly all of them can be grouped as below:

  1. Secure design and development - includes training, requirements, design, implementation, testing
  2. Secure deployment - moving from dev to test to stage to production
  3. Secure operations - continue operating securely - WAFs, Vulnerability assessment, change management, config management etc.
4
Q

In SSDLC, what are the stages in the secure design and development phase?

A
  1. Training - secure coding practices, security tests, technical training (general and CSP specific). Dev, Sec and Ops teams have to be trained
  2. Define: Security functional requirements; regulations and policy driven requirements
  3. Design - threat modeling, build in controls, leverage cloud capabilities (e.g. serverless).
  4. Develop - CI/CD, code review, SAST/DAST
  5. Test: SAST/DAST/IAST, Unit, Functional, Regression testing, staging; integration of testing into the CI/CD pipeline.
5
Q

In SSDLC, what are the stages in the secure deployment phase?

A
  • Automated security testing integrated into the CI/CD pipeline.
  • Code review: often manual; integrated via Approval Gates in the CI/CD stage
  • Testing: Unit, regression and functional tests
    - SAST - examine APIs to see if there are embedded credentials
  • DAST - fuzzing, web vulnerabilities
  • IaC makes immutable architectures possible
  • IaC enhances security - operational environment can be more tightly locked down
  • Security testing can be integrated into the CI/CD pipeline.
  • Protecting the pipeline itself becomes important.
6
Q

How does cloud impact application design and architectures?

A
  • Segregation by default - use of SDN to segregate workloads
  • Immutable infrastructure
  • Serverless (Lambda, API Gateways, PaaS)
  • Microservices
  • Event driven security
  • Software-defined security
7
Q

What is DevOps?

A
  • Closer integration of Development and Operations
  • Use of automation for the deployment process through CI/CD
  • Culture, Philosophy, Processes and Tools
8
Q

What are the benefits of DevOps?

A
  • Standardization - CI/CD pipelines produce artifacts uniformly for Dev/Test/Prod
  • Automated testing - integration of testing with CI/CD pipelines
  • Immutable: pipelines produce master images for VMs, Containers, and Infra quickly for automated deployments
  • Improved auditing and change management - who did what, when? Gates for change approval
  • DevSecOps - integration of security within the Dev and Deployment process.